Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 17 Jun 2025 15:50:46 GMT
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 1396e87a37b6 - main - tcp: count two previously ignored kinds of syncookie failures
Message-ID:  <202506171550.55HFokc9029590@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch main has been updated by glebius:

URL: https://cgit.FreeBSD.org/src/commit/?id=1396e87a37b6d4545d2c7579c31d81d96ba8b816

commit 1396e87a37b6d4545d2c7579c31d81d96ba8b816
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2025-06-17 15:50:29 +0000
Commit:     Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2025-06-17 15:50:29 +0000

    tcp: count two previously ignored kinds of syncookie failures
    
    Reviewed by:            tuexen
    Differential Revision:  https://reviews.freebsd.org/D50899
---
 sys/netinet/tcp_syncache.c | 3 +++
 sys/netinet/tcp_var.h      | 2 ++
 usr.bin/netstat/inet.c     | 6 +++++-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 24ef871c953a..69217ca39ee4 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -1097,6 +1097,7 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 		 */
 		if (locked && !V_tcp_syncookies) {
 			SCH_UNLOCK(sch);
+			TCPSTAT_INC(tcps_sc_spurcookie);
 			if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
 				log(LOG_DEBUG, "%s; %s: Spurious ACK, "
 				    "segment rejected (syncookies disabled)\n",
@@ -1106,6 +1107,7 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 		if (locked && !V_tcp_syncookiesonly &&
 		    sch->sch_last_overflow < time_uptime - SYNCOOKIE_LIFETIME) {
 			SCH_UNLOCK(sch);
+			TCPSTAT_INC(tcps_sc_spurcookie);
 			if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
 				log(LOG_DEBUG, "%s; %s: Spurious ACK, "
 				    "segment rejected (no syncache entry)\n",
@@ -1119,6 +1121,7 @@ syncache_expand(struct in_conninfo *inc, struct tcpopt *to, struct tcphdr *th,
 			sc = &scs;
 			TCPSTAT_INC(tcps_sc_recvcookie);
 		} else {
+			TCPSTAT_INC(tcps_sc_failcookie);
 			if ((s = tcp_log_addrs(inc, th, NULL, NULL)))
 				log(LOG_DEBUG, "%s; %s: Segment failed "
 				    "SYNCOOKIE authentication, segment rejected "
diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h
index 4d49f5d2a954..d8822c40b17e 100644
--- a/sys/netinet/tcp_var.h
+++ b/sys/netinet/tcp_var.h
@@ -1015,6 +1015,8 @@ struct	tcpstat {
 	uint64_t tcps_sc_zonefail;	/* zalloc() failed */
 	uint64_t tcps_sc_sendcookie;	/* SYN cookie sent */
 	uint64_t tcps_sc_recvcookie;	/* SYN cookie received */
+	uint64_t tcps_sc_spurcookie;	/* SYN cookie spurious, rejected */
+	uint64_t tcps_sc_failcookie;	/* SYN cookie failed, rejected */
 
 	uint64_t tcps_hc_added;		/* entry added to hostcache */
 	uint64_t tcps_hc_bucketoverflow;/* hostcache per bucket limit hit */
diff --git a/usr.bin/netstat/inet.c b/usr.bin/netstat/inet.c
index 269afa42e079..139ff9294fde 100644
--- a/usr.bin/netstat/inet.c
+++ b/usr.bin/netstat/inet.c
@@ -768,8 +768,12 @@ tcp_stats(u_long off, const char *name, int af1 __unused, int proto __unused)
 	p1a(tcps_sc_unreach, "\t\t{:unreachable/%ju} {N:/unreach}\n");
 	p(tcps_sc_zonefail, "\t\t{:zone-failures/%ju} {N:/zone failure%s}\n");
 	p(tcps_sc_sendcookie, "\t{:sent-cookies/%ju} {N:/cookie%s sent}\n");
-	p(tcps_sc_recvcookie, "\t{:receivd-cookies/%ju} "
+	p(tcps_sc_recvcookie, "\t{:received-cookies/%ju} "
 	    "{N:/cookie%s received}\n");
+	p(tcps_sc_spurcookie, "\t{:spurious-cookies/%ju} "
+	    "{N:/spurious cookie%s rejected}\n");
+	p(tcps_sc_failcookie, "\t{:failed-cookies/%ju} "
+	    "{N:/failed cookie%s rejected}\n");
 
 	xo_close_container("syncache");
 



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202506171550.55HFokc9029590>